To defend your organization against cyber threats, you need a clear picture of the current threat landscape. This means constantly expanding your knowledge about new and ongoing threats.
There are many techniques analysts can use to collect crucial cyber threat intelligence. Let's consider five that can greatly improve your threat investigations.
Pivoting on C2 IP addresses to pinpoint malware
IP addresses that malware uses to communicate with its command and control (C2) servers are valuable indicators. They not only help you update your defenses, but also let you identify related infrastructure and tools belonging to the same threat actors.
This is done by pivoting: starting from an indicator you already have and using it to find additional context on the threat at hand.
To perform pivoting, analysts use various sources, including threat intelligence databases that store large volumes of fresh threat data and offer search capabilities.
One useful tool is Threat Intelligence Lookup from ANY.RUN. This service allows you to search its database using over 40 different query parameters, such as:
- Network indicators (IP addresses, domain names)
- Registry and file system paths
- Specific threat names, file names, and hashes
ANY.RUN returns the data associated with the indicators or artifacts in your query, along with the sandbox sessions where that data was observed. This helps analysts tie an indicator, or a combination of indicators, to a specific attack, discover its context, and collect essential threat intelligence.
To demonstrate how it works, let's use the following IP address as our query: 162[.]254[.]34[.]31. In your case, the initial indicator may come from an alert generated by a SIEM system, a threat intelligence feed, or research.
The overview tab shows the key results of our search
Submitting the IP address to TI Lookup immediately shows that this IP has been linked to malicious activity. It also tells us that the specific threat seen using this IP is AgentTesla.
The service displays domains related to the indicator, as well as ports used by malware when connecting to this address.
Suricata IDS rule linked to the queried IP indicates data exfiltration via SMTP
Other information available to us includes files, synchronization objects (mutexes), ASN, and triggered Suricata rules that were discovered in sandbox sessions involving the IP address in question.
We can also open one of the sandbox sessions where the IP was spotted to see the entire attack and collect even more relevant information, or rerun the analysis of the sample to study it in real time.
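To make the pivoting workflow concrete, here is an added example (not ANY.RUN's code, and not real TI Lookup output) that runs a bounded breadth-first pivot over a handful of constructed sandbox-session records. The seed is the defanged IP queried above; the session IDs, domains, mutexes and Suricata rule names are hypothetical. Starting from the IP it collects the sessions that contain it, then pivots again on the IPs, domains and mutexes found there, and finally aggregates the threat names, ports and triggered rules the way the overview tab does:

```python
"""Pivoting from a seed C2 IP across sandbox-session records.

Added example: the session records below are constructed for illustration
and are not ANY.RUN data; the seed IP is the one queried in the article.
"""
import ipaddress
from collections import Counter, deque

# Constructed session records (hypothetical). Each mirrors the kinds of
# artifacts the article lists: IPs, domains, ports, mutexes, Suricata rules.
SESSIONS = [
    {"id": "s1", "threat": "AgentTesla", "ips": ["162.254.34.31"],
     "domains": ["mail.c2-example.test"], "ports": [587],
     "mutexes": ["Global\\ExampleMutexA"], "suricata": ["SMTP data exfiltration"]},
    {"id": "s2", "threat": "AgentTesla", "ips": ["162.254.34.31", "203.0.113.7"],
     "domains": ["mail.c2-example.test"], "ports": [587, 8080],
     "mutexes": ["Global\\ExampleMutexA"], "suricata": ["SMTP data exfiltration"]},
    {"id": "s3", "threat": "AgentTesla", "ips": ["203.0.113.7"],
     "domains": ["update.c2-example.test"], "ports": [8080],
     "mutexes": ["Global\\ExampleMutexA"], "suricata": []},
    {"id": "s4", "threat": "Unrelated", "ips": ["198.51.100.5"],
     "domains": ["cdn.example.test"], "ports": [443],
     "mutexes": ["Global\\Other"], "suricata": []},
]

# Artifact kinds worth pivoting on. Ports are deliberately excluded:
# 443 or 587 would pull in every unrelated session that used the same port.
PIVOT_KINDS = ("ips", "domains", "mutexes")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 162[.]254[.]34[.]31 back into a real one."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def defang(indicator: str) -> str:
    """Defang an indicator so it cannot be clicked or resolved by accident."""
    return indicator.replace(".", "[.]").replace("http", "hxxp")


def sessions_with(kind: str, value: str, sessions=SESSIONS) -> list:
    return [s for s in sessions if value in s[kind]]


def pivot(seed_ip: str, max_depth: int = 2, sessions=SESSIONS) -> dict:
    """Breadth-first pivot: seed IP -> sessions -> their IPs/domains/mutexes -> more sessions.

    max_depth bounds the expansion so that one widely shared artifact does
    not drag in the whole database. Returns {session_id: record}.
    """
    seed = refang(seed_ip)
    ipaddress.ip_address(seed)  # raises ValueError on a malformed seed
    seen = {("ips", seed)}
    queue = deque([("ips", seed, 0)])
    hits = {}
    while queue:
        kind, value, depth = queue.popleft()
        for s in sessions_with(kind, value, sessions):
            hits[s["id"]] = s
            if depth >= max_depth:
                continue
            for k in PIVOT_KINDS:
                for v in s[k]:
                    if (k, v) not in seen:
                        seen.add((k, v))
                        queue.append((k, v, depth + 1))
    return hits


def summarize(hits: dict) -> dict:
    """Aggregate the pivoted sessions into the context an analyst wants to see."""
    return {
        "threats": Counter(s["threat"] for s in hits.values()),
        "ips": sorted({defang(ip) for s in hits.values() for ip in s["ips"]}),
        "domains": sorted({defang(d) for s in hits.values() for d in s["domains"]}),
        "ports": sorted({p for s in hits.values() for p in s["ports"]}),
        "suricata": sorted({r for s in hits.values() for r in s["suricata"]}),
    }


if __name__ == "__main__":
    result = summarize(pivot("162[.]254[.]34[.]31"))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Two design points carry over to real pivoting: the depth bound and the choice of pivot keys. A second-hop pivot on a shared artifact (a port, a CDN domain, a mutex name reused by many samples) will rapidly return the whole database, so restrict the keys to artifacts that are specific to the actor and stop at a depth you can still review by hand.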
Test TI Lookup to see how it can improve your threat investigations. Request a 14-day free trial.
Using URLs to expose threat actors' infrastructure
Examining domains and subdomains reveals the URLs attackers use to host malware. Another common use case is identifying websites used in phishing attacks. Phishing websites often mimic legitimate sites to trick users into entering sensitive information. By analyzing these domains, analysts can uncover patterns and discover the broader infrastructure employed by attackers.
URLs matching our search query for Lumma's payload hosting infrastructure
For instance, the Lumma malware is known to host its payloads on domains ending in ".shop". By searching for this suffix in TI Lookup together with the threat's name, we can zoom in on the latest domains and URLs used in the malware's attacks.
Identifying threats by specific MITRE TTPs
The MITRE ATT&CK framework is a comprehensive knowledge base of adversary tactics, techniques, and procedures (TTPs). Using specific TTPs as part of your investigations can help you identify emerging threats. Proactively building your knowledge about current threats contributes to your preparedness against potential attacks in the future.
Most popular TTPs over the past 60 days displayed by ANY.RUN's Threat Intelligence Portal
ANY.RUN provides a live ranking of the most popular TTPs detected across thousands of malware and phishing samples analyzed in the ANY.RUN sandbox.
Sandbox sessions matching a query featuring a MITRE TTP along with a detection rule
We can pick any of the TTPs and submit it to TI Lookup to find the sandbox sessions in which that technique was observed. As shown above, combining T1552.001 (Credentials in Files) with the rule "Steals credentials from Web Browsers" lets us identify analyses of threats engaging in these activities.
Collecting samples with YARA rules
YARA is a tool used to create descriptions of malware families based on textual or binary patterns. A YARA rule might look for specific strings or byte sequences that are characteristic of a particular malware family. This technique is highly effective for automating the detection of known malware and for quickly identifying new variants that share similar characteristics.
Services like TI Lookup provide built-in YARA Search that lets you upload, edit, store, and use your custom rules to find relevant samples.
Search using a XenoRAT YARA rule revealed over 170 matching files
We can use a YARA rule for XenoRAT, a popular malware family used for remote control and data theft, to discover the latest samples of this threat. Apart from files that match the contents of the rule, the service also provides sandbox sessions to explore these files in a wider context.
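To show what the textual and binary patterns in a YARA rule actually do when they are run over a file, here is an added example that is not YARA itself and not ANY.RUN's YARA Search: a minimal matcher in plain Python that supports the three string kinds a rule typically combines (an ASCII string, a "wide" UTF-16LE string, and a hex pattern with `??` wildcards) and a "2 of them"-style condition. The rule name, its strings and the sample bytes are all hypothetical and constructed; in practice you would compile a real rule with yara-python, this stand-in only makes the mechanics visible.

```python
"""A minimal YARA-style matcher, to show what a rule's text and hex patterns do.

Added example; it is not YARA and not ANY.RUN's YARA Search. The rule and
the samples are hypothetical and constructed for illustration only.
"""
import re

# Hypothetical rule, written as a Python dict rather than YARA syntax.
RULE = {
    "name": "Example_RAT_artifacts",
    "strings": {
        "$cmd": ("text", b"RemoteShell"),            # ASCII string
        "$cfg": ("wide", "SocketPassword"),          # UTF-16LE ("wide" in YARA)
        "$hdr": ("hex", "4D 5A ?? ?? 00 00 FF FF"),  # byte pattern with wildcards
    },
    "condition": ("n_of_them", 2),                   # at least 2 of the 3 strings
}


def hex_pattern(spec: str) -> bytes:
    """Convert 'AA ?? BB' into a bytes regex: fixed bytes escaped, ?? -> any byte."""
    parts = []
    for tok in spec.split():
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return b"".join(parts)


def compile_strings(rule: dict) -> dict:
    """Compile each rule string into a bytes regex."""
    compiled = {}
    for ident, (kind, value) in rule["strings"].items():
        if kind == "text":
            pattern = re.escape(value)
        elif kind == "wide":
            pattern = re.escape(value.encode("utf-16-le"))
        elif kind == "hex":
            pattern = hex_pattern(value)
        else:
            raise ValueError(f"unknown string kind {kind!r}")
        # DOTALL so a ?? wildcard also matches a 0x0A byte.
        compiled[ident] = re.compile(pattern, re.DOTALL)
    return compiled


def scan(rule: dict, data: bytes) -> dict:
    """Return {identifier: [offsets]} for every string of the rule that matches."""
    found = {}
    for ident, regex in compile_strings(rule).items():
        offsets = [m.start() for m in regex.finditer(data)]
        if offsets:
            found[ident] = offsets
    return found


def matches(rule: dict, data: bytes) -> bool:
    """Evaluate the rule's condition over the string hits."""
    found = scan(rule, data)
    kind, arg = rule["condition"]
    if kind == "all_of_them":
        return len(found) == len(rule["strings"])
    if kind == "n_of_them":
        return len(found) >= arg
    raise ValueError(f"unknown condition {kind!r}")


# Constructed samples (not real malware).
SAMPLE_HIT = b"MZ\x90\x00\x00\x00\xff\xff" + b"\x00" * 16 + b"...RemoteShell..."
SAMPLE_WIDE_ONLY = b"junk" + "SocketPassword".encode("utf-16-le") + b"junk"
SAMPLE_CLEAN = b"MZ\x90\x00\x00\x00\x00\x00 nothing interesting here"

if __name__ == "__main__":
    for name, blob in (("hit", SAMPLE_HIT), ("wide_only", SAMPLE_WIDE_ONLY),
                       ("clean", SAMPLE_CLEAN)):
        print(name, matches(RULE, blob), scan(RULE, blob))
```

The point to carry into real rule writing is the condition: a single common string ("SocketPassword" appears in plenty of benign software) should never be enough on its own, so the rule requires a second, more specific artifact before it fires, which is why SAMPLE_WIDE_ONLY does not match while SAMPLE_HIT does.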
Discovering malware with command line artifacts and process names
Identifying malware through command line artifacts and process names is an effective but underused technique, since most sources of threat intelligence do not expose such data.
ANY.RUN's threat intelligence database stands out by sourcing data from live sandbox sessions, offering access to real command line data, processes, registry modifications, and other components and events recorded during the execution of malware in the sandbox.
TI Lookup results for the command line and process search related to Strela stealer
As an example, we can search for the command line that Strela stealer passes to the net.exe process to access a folder named "davwwwroot" on its remote server.
TI Lookup provides numerous samples, files, and events found in sandbox sessions that match our query. We can use the information to extract more insights into the threat we're facing.
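The two pattern-based searches above, the ".shop" payload domains in the URL section and the net.exe/davwwwroot command line here, can both be expressed as small hunting rules run over sandbox events. The following is an added example, not ANY.RUN's query engine: the events, session IDs, hosts and the exact command lines are constructed, with only the net.exe plus "davwwwroot" combination and the ".shop" suffix taken from the article.

```python
"""Hunting for malware by command line artifacts and URL patterns.

Added example, not ANY.RUN's query engine: a small rule set run over
constructed sandbox events. The net.exe/davwwwroot rule follows the Strela
stealer behaviour the article describes and the .shop rule the Lumma
hosting pattern it mentions; every event below is constructed.
"""
import re

# Constructed sandbox events (hypothetical sessions, paths and hosts).
EVENTS = [
    {"session": "s10", "type": "process",
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net use \\203.0.113.7\davwwwroot\ /user:guest pass"},
    {"session": "s10", "type": "process",            # net.exe hands off to net1.exe
     "image": r"C:\Windows\System32\net1.exe",
     "cmdline": r"C:\Windows\system32\net1 use \\203.0.113.7\davwwwroot\ /user:guest pass"},
    {"session": "s11", "type": "process",            # benign drive mapping
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net use Z: \\fileserver\share /persistent:no"},
    {"session": "s12", "type": "network",
     "url": "https://payload-host.shop/download/update.bin"},
    {"session": "s13", "type": "network",            # ".shop" only in the path
     "url": "https://www.example.com/shop/item?id=7"},
]

# Each rule names the event type it applies to and a regex per field;
# every field regex must match for the rule to fire.
RULES = [
    {"name": "net.exe mounting a davwwwroot WebDAV share (Strela-style)",
     "type": "process",
     "fields": {"image": r"(?i)(^|\\)net1?\.exe$",
                "cmdline": r"(?i)\\davwwwroot(\\|$)"}},
    {"name": "payload download from a .shop domain (Lumma-style)",
     "type": "network",
     # anchor on the host part so a ".shop" directory in a path does not match
     "fields": {"url": r"(?i)^https?://[^/?#]+\.shop(?=[/?#]|$)"}},
]


def rule_matches(rule: dict, event: dict) -> bool:
    """True when the event type matches and every field regex in the rule hits."""
    if event["type"] != rule["type"]:
        return False
    return all(re.search(rx, event.get(field, "")) for field, rx in rule["fields"].items())


def hunt(events=EVENTS, rules=RULES) -> dict:
    """Return {rule name: sorted session ids} for the events that triggered each rule."""
    hits = {rule["name"]: set() for rule in rules}
    for event in events:
        for rule in rules:
            if rule_matches(rule, event):
                hits[rule["name"]].add(event["session"])
    return {name: sorted(sessions) for name, sessions in hits.items()}


if __name__ == "__main__":
    for name, sessions in hunt().items():
        print(f"{name}: {sessions or 'no hits'}")
```

Two details matter when turning such a search into a detection. The process rule matches both net.exe and net1.exe, because net.exe delegates to net1.exe and some telemetry only records the child. The URL rule anchors the ".shop" check on the host portion, otherwise a legitimate site with a /shop/ path would be flagged. A davwwwroot mount is not malicious on its own in environments that use WebDAV, so in production you would also look at the parent process and at what is executed from the mounted path.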
Integrate Threat Intelligence Lookup from ANY.RUN
To speed up and improve the quality of your threat research efforts, you can use TI Lookup.
Try TI Lookup and see how it can contribute to your threat investigations with a 14-day trial →
ANY.RUN's threat intelligence is sourced from samples uploaded to the sandbox for analysis by over 500,000 researchers across the world. You can search this massive database using more than 40 search parameters.
To learn more on how to improve your threat investigations with TI Lookup, tune in to ANY.RUN's live webinar on October 23, 02:00 PM GMT (UTC +0).
This article is a contributed piece from one of our valued partners.